Merge pull request #822 from edx/dcs/mat-16

Added HTTP Strict Transport Security headers to ensure clients always

playbooks/roles/nginx/templates/cms.j2

@@ -20,6 +20,8 @@ server {
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
   ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
+  # request the browser to use SSL for all connections
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
   {% else %}
   listen {{EDXAPP_CMS_NGINX_PORT}} {{default_site}};

playbooks/roles/nginx/templates/lms-preview.j2

@@ -15,6 +15,8 @@ server {
   # CMS requires larger value for course assest, values provided
   # via hiera.
   client_max_body_size 4M;
+  # request the browser to use SSL for all connections
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
   rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;
 

playbooks/roles/nginx/templates/lms.j2

@@ -20,6 +20,8 @@ server {
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
   ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
+  # request the browser to use SSL for all connections
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
   {% else %}
   listen {{EDXAPP_LMS_NGINX_PORT}} {{default_site}};